BY ALEX HANDY

The Apache Software Foundation announced in mid-December that Geronimo 1.0, the open-source J2EE application server, was ready for release. The news was sent out slightly ahead of the actual completion date, however, and Geronimo quietly remained hidden until the day after Christmas, when the software was finally declared fit for public consumption.

Dain Sundstrom, IBM's chief architect of Gluecode and a member of the Geronimo project management committee, said IBM donated the initial Eclipse tooling for Geronimo, and also donated code for Geronimo's new management console. The latter code originally came from Gluecode, which IBM acquired in May. Gluecode is a production-ready open-source Java app deployment platform. IBM has kept its contributors on the project.

Sundstrom is one of those contributors, and he said that the new management console shows off the direction in which Geronimo will be heading.

Yet despite Sundstrom's ded-
► continued on page 16



Major Vendors To Build SOA Object Model

Claim proposed Service Component Architecture will ease service creation

BY EDWARD J. CORREIA

A group of companies is attempting to extend SOA specifications to include a language-neutral object model, over objections that the effort is redundant to work already being done in the Java Community Process.

The proposed Service Component Architecture (SCA) and the related Service Data Objects (SDO) specifications are intended to simplify the creation of business services for accessing data stored in multiple locations and formats. The effort is being spearheaded by BEA, IBM, Iona, Oracle, SAP, Siebel, Sybase, Xcalia and Zend.

SCA will abstract language-specific APIs, says Iona's Newcomer.

Iona CTO Eric Newcomer said the project will help to bridge the gap between the kinds of service interfaces developers are looking to build and the language-specific objects or programs that typically exist in the enterprise. "Web services [are] about interfaces for messaging," Newcomer said. "Behind those interfaces can be Java, C++ or whatever, but you might have to do a lot of coding to implement what you have in that service interface."

Most Web services tools, Newcomer explained, start with
► continued on page 22



RUBY'S BEEN WORKIN' ON THE RAILS

BY ALEX HANDY

Ruby on Rails, the Web application framework that reached version 1.0 in mid-December, has gathered a full head of open-source steam over the past year, and numerous luminaries of the Java community, such as Bruce Tate and David Geary, have headed to Ruby, thanks to a development environment that's been called both quick and easy.

"I think Ruby on Rails has a
► continued on page 18



SOX Compliance Will Cost Companies US$6 Billion

Developer impact will remain next to nil, AMR research report shows

SHELLING OUT BIG BUCKS FOR SOX

BY JENNIFER DEJONG

Companies are expected to spend US$6 billion on Sarbanes-Oxley compliance efforts this year. But such expenditures aren't likely to impact development teams.

Of that total figure, technology spending accounts for 32 percent, or $1.9 billion, said John Hagerty, a vice president at AMR Research, the Boston-based company that conducted the SOX spending survey. Two software categories — compliance management and continuous controls monitoring — are expected to dominate technology expenditures, the survey found. Both operate essentially as stand-alone auditing tools and are aimed at top executives and financial managers. As a result, they have "very little impact on developers," said Hagerty.

Designed for CFOs, compliance management software keeps track of the controls a company has in place to prevent fraud. Controls apply to how business processes are carried out, and many are concerned with segregation of duties, said John Verver, president of professional services at ACL, a Vancouver, British Columbia-based company that provides auditing software and services. For
► continued on page 17

Komodo Walks Away From Microsoft Support

ActiveState drops Visual Studio plug-ins for Perl, Python, XSLT; adds Ruby on Rails to IDE

BY ANDY PATRIZIO

The ActiveState giveth, the ActiveState taketh away.

With the latest release of its Komodo IDE for dynamic languages such as Perl and Python, ActiveState has jettisoned support for Visual Studio, citing a release-schedule conflict and a lack of customer interest.

ActiveState also announced in December that it would drop its engineering support for the Visual Perl, Visual Python and Visual XSLT plug-ins in Visual Studio 2002 and 2003, and that there will be no upgrade for VS 2005.

The source code of abandoned software projects has often been released as open source, allowing the community that remains to continue at least some level of support for the code, if not continuing development. However, the plug-ins incorporate source code from Visual Studio, so ActiveState says it cannot release the source code.

Part of the problem was timing conflicts, due to the release schedules of Visual Studio and Komodo, but the primary reason for ending support was that Komodo's customers weren't interested enough to make the effort worthwhile, said David Asher, CTO for ActiveState.

"With the next version of Visual Studio, it was a significant amount of work to ensure compatibility... but people weren't interested. People going into Visual Studio .NET were going with the full intent to be .NET everywhere. They just weren't that interested in doing Perl or Python, so we just decided to focus on our main IDE," he said.

RAILS MORE PRODUCTIVE

Komodo 3.5, released in December, adds support for the Ruby language and Ruby on Rails, an application framework gaining popularity as a lightweight alternative to J2EE.

"Java has built significant complexity and infrastructure, which probably makes sense in some settings, but the majority of Web-based apps don't need that level of complexity and sophistication," said Asher. "People find they are more productive with Rails than they are with J2EE."

In addition, Komodo offers Multilingual Input Method Editor (MIME) support for foreign language characters, and support for Mac OS X 10.4 (Tiger) and 10.3 (Panther).

The addition of Ruby on Rails should increase developer efficiency, says company.

Komodo 3.5 is available on Linux, Mac OS X and Windows for US$29.95 for the Personal Edition or $295 for the Professional edition, which adds source code control, a GUI builder, shared tool box and Solaris support.



Developers, Managers Trust Homegrown Apps

Study shows more than half believe apps are secure

BY ALAN ZEICHICK

The software development industry is split evenly between companies that say they invest sufficiently in software security practices, and those that say they don't invest enough. That's according to a new study from BZ Research, a division of BZ Media, publisher of SD Times.

According to this research, completed in December 2005, 37.5 percent of developers and development managers say that their company invests the appropriate amount in software security practices, and 8.9 percent say they invest more than is required. However, 45.5 percent say that their company doesn't invest enough, and 8.1 percent aren't sure.

The study includes responses from 636 individuals, and has an accuracy of (+/-) three percentage points.

Even though many companies don't invest enough in software security practices, say respondents, most software is tested for security. In fact, 31.1 percent said that all homegrown software is tested for security; 19.4 percent said that more than half of software is tested, and 26.1 percent said that some, but less than half, is tested. Only 10.7 percent said that none of their in-house software is tested for security; 6.0 percent weren't sure.

This amount of testing gave rise to strong confidence in the security of internally written applications, as 29.9 percent of respondents characterized such software as "totally secure" or "very secure." Another 27.5 percent called it "secure," 18.4 percent said it was "somewhat secure," 7.6 percent said "not very secure," and only 1.3 percent described such applications as "highly insecure." The remainder didn't know or didn't develop software for internal consumption.

"We rely heavily on the built-in security of the host operating system and host networks," said one respondent. "Beyond that, we use individual user-ids, expiring passwords, SSL, and test that Web pages cannot be accessed outside of a valid log-in." Another replied, "[Security] is not adequate. The
► continued on page 14

When are software security practices an active part of your application development process?

During requirements gathering 46.6%
During architecture/design phases 59.0%
During the programming phases 56.8%
During the test/QA cycles 55.8%
During acceptance testing 37.6%
During deployment 39.4%
Post-deployment 32.4%
Not at all 7.5%

Which of the following software security test tools do you use currently?

Access controls 43.0%
QA/test software 39.9%
Encryption tool 39.3%
Source code analyzer 32.2%
Network single sign-on 32.2%
Web single sign-on
Web application security software 29.1%
Vulnerability testing tool 25.9%
Enterprise security management 23.0%
Attack simulation 22.2%
Host/legacy single sign-on 19.1%
Security defect analysis 18.9%
Risk management tool 18.3%
Anti-piracy tool 15.7%
Hardware locking tool (dongle) 15.3%
Compliance management tool 15.3%
Obfuscation tool 14.5%
Automated error prevention 11.4%
Code analysis service
Provisioning 9.2%

Is security testing considered to be a distinct part of your company's software development process?

Yes, for all internally developed applications
Yes, for most (more than half) of internally developed applications
Yes, for some (less than half) of internally developed applications
Don't know/Other

Source: BZ Research

Kenai: ExamineSOA Enterprise Automates Testing

Claims high-end tool extends compliance analysis capabilities to architects, QA testers

BY ANDY PATRIZIO

Kenai Systems has filled out its product lineup of automated Web services testing tools with the release of ExamineSOA Enterprise, which allows testing of Web services for compliance with security policies and best practices by nonsecurity experts, such as architects or QA testers.

The point-and-click solution can read testing template files from Kenai's entry-level ExamineXT and midrange ExamineSOA products.

The tool works by capturing the policies to test against in Web services. Once the tests are constructed for such things as validation, encryption and checking for a valid signature, they can be saved as scripts for testing future applications that anyone in the development chain can run.

"This allows you to capture the learning process as you make these tests and codify them as policies. It will allow you to lower the hurdle of security for some folks," said Kenai CTO Jack Quinnell. By setting up tests for security exploits and compliance, applications can be tested well before they reach the testing or deployment stage, he added.

In addition to the ability to create custom tests, ExamineSOA Enterprise comes with a shared library of basic test templates, including vulnerability profiles, policies, test suites and test results.

ExamineSOA Enterprise supports testing for compliance with regulations such as Sarbanes-Oxley, Gramm-Leach-Bliley and HIPAA. Also, Web services can be tested against industry standards such as WS-Policy and WS-Security. The SQL tests can perform SQL injection tests against Microsoft SQL Server, MySQL and Oracle.

ExamineSOA Enterprise can compare test results from multiple tests, so developers and testers can measure how much closer they come to compliance with subsequent tests. Testers also can run a single test saved in a batch.

Kenai built a migration path between ExamineSOA Enterprise and its previous releases. All three can import and export test templates and test results from each other. However, only Enterprise has a shared database function, so test results can be published for others to view, said Quinnell.

ExamineSOA Enterprise is available now for US$1,995.

Mac OS: PowerPC-to-Intel Switch Not Entirely Smooth

BY ALEX HANDY

Chuck Rogers has had a pretty difficult autumn. As the chief evangelist for MacSpeech, maker of the MacSpeech speech recognition package for Mac OS, he's learned firsthand that moving to the Intel platform isn't going to be as easy as he'd first hoped.

Despite Apple's responsiveness in dealing with the transition, MacSpeech still has not been able to complete the move.

In September, Rogers began a move from CodeWarrior to Apple's Xcode. "Once we're in Xcode, I think it will be easier to make improvements," he said. "If you use a development tool that's developed by the people who make the OS, you're going to be much more in sync with the OS."

But after three months of work, Rogers now feels that the transition will not be complete until the end of 2006. He blames the delay on the nature of his product, and on Apple, but he's not complaining about either.

"Speech recognition requires support from Apple which they don't have yet," said Rogers. "We started the process, but Apple found that they had some resources for speech input, things that they hadn't completed yet. It's also a matter of getting our stuff over to Xcode. It's not difficult, it's just time-consuming."

Rogers added that his software experiences no slowdowns when running under Rosetta, Apple's stop-gap mechanism for running PowerPC code on Intel hardware. Rogers has been using an Apple/Intel development machine. "We're planning on doing some compatibility testing at the labs at Apple. We're not anticipating much of a slowdown, unless Apple does something dramatically different in the architecture of the machines they're sending. We can't guarantee it, but we don't anticipate any problems."

THUMBS UP

Not all Macintosh developers are having the same troubles as Rogers. Rich Siegel is the CEO and founder of Bare Bones Software, which develops and markets a popular text editor. He said that his team has completed the transition with few problems.

Back in September, Siegel told SD Times that Apple "had the OS up and running for so long, and because the fundamental architecture of the OS is different, everything is abstracted. It's much easier to adapt your code for a new CPU architecture because the OS really protects you from all that. I think if they had tried to switch from PPC to Intel back in the [Mac OS] 8 or 9 days, it would have been a much bigger challenge for a lot of people."

Siegel said that his company has weathered the switch, and gives the process a thumbs up.

"We did all of the initial work up-front. We've gotten really good feedback from the Apple engineers who wanted BBEdit in the transition kit. By itself, it was very straightforward."

News Briefs

NEW PRODUCTS

NextApp has announced the availability of its EchoStudio2 visual development tool and the open-source Echo2 Web Framework. The company claims that Echo2 performance is dramatically improved thanks to an AJAX-based rendering engine; EchoStudio2 is based on Eclipse 3.1 . . . Integration solutions developer Iona Technologies and ObjectWeb have reached a third major milestone in the Celtix open-source enterprise service bus project. The tool increases its transport capabilities with a complete implementation of HTTP 1.1 and support for Servlet Transport, which permits the movement of remote objects from within a servlet. The project also has added command-line tools for WSDL-to-Java and Java-to-WSDL conversions.

UPGRADES

Rosebud Management Systems has released Eden Server 4.0, a full-featured COBOL/CICS emulator. Eden Server 4.0 has addressed performance issues and provides direct access to all Eden-based CICS transactions via the Web. It also expands batch process capabilities with full support for MVS JCL concepts and constructs, such as in-line procedures, return code checking and batch utilities like IDCAMS and SORT/MERGE . . . Jaluna, co-founder of the Linux Phone Standards (LiPS) Forum, has released Linux Edition OSware version 2.0 to support the latest ARM9 processor. Features include operating system independence; a unified modem stack for multiple operating systems; and advanced functionality, features and security for consumer applications . . . 4D, maker of software solutions for developing and deploying database applications, has announced the release of 4th Dimension 2004.3. Enhancements include an integrated mirroring system, which provides backup and recovery for data, debug logging capabilities and numerous bug fixes . . . ObjectAda 8.2, the latest version of ObjectAda Windows for VxWorks on PowerPC processors, has been launched by embedded tools maker Aonix. It includes an enhanced compiler with reduced compile time and a new debugger for Wind River's Tornado 2.x IDE and VxWorks 5.x RTOS . . . Excelsior has released JET 4.1, a high-performance Java runtime environment. JET Optimizer translates Java application classes and .jar files into high-performance native executables resistant to reverse engineering . . . Microsoft has released the third Community Technology Preview version of Vista. The preview allows Microsoft to gather feedback on the new operating system more quickly. Testers will see new features, including Windows Defender, an update to Windows AntiSpyware; BitLocker Drive Encryption, to protect data on computers when lost or stolen; and tighter control over removable storage devices.

PEOPLE

Roy Bedlow has been appointed VP for Europe, Middle East and Africa at Palm Inc. Bedlow is based at Palm's EMEA headquarters in Wokingham, U.K. He was previously the director of Palm EMEA's Wireless Business Unit, where he was responsible for the Treo family of smartphones and alliances with leading operators throughout Europe . . . Peter Clare has joined Apacheta as CTO. He was an early Oracle employee and a member of the senior management team that helped build that company.

STANDARDS

Object Management Group advanced a number of specifications at its December meeting. The Business Process Modeling Notation, which came under the auspices of OMG when it merged with BPMI.org in June 2005, is now in final adoption phase. The CORBA Component Model, with interfaces to control real-time quality of service, completed its member evaluation and started the sequence of votes leading to formal adoption. And, the OMG members initiated an adoption process to update the Common Warehouse Metamodel, a widely used data modeling specification.



Aware of the Needs Of Installation Users

Experience key to InstallAware update

BY DAVID RUBINSTEIN

Claiming its main competitors' focus has shifted away from installation technology to licensing, InstallAware Software last month released InstallAware 5 for Windows Installer, with support for SQL Server Express 2005 and new scripts for collaboration.

The acknowledged leader in installation software is digital rights management provider Macrovision, after its acquisitions of InstallShield and Zero G Software in the past two years gave it cross-platform capability and a lion's share of the market. But Sinan Karaca, InstallAware's chief architect, said Macrovision's focus "isn't on installers anymore." In a news release announcing InstallAware 5, Karaca said, "Installations themselves have had to take a back seat in their new display of copyright protection technologies, much to the dismay of the setup developer."

Macrovision last month released InstallShield 11.5, with an update that helps developers working apart from one another capture and share installation requirements as they write code.

Karaca said InstallAware 5, first released in April 2004 for creating installations on Windows, .NET, IIS and SQL Server platforms, improves the user experience with compression, a feature he claimed can reduce the size of an installation by three-quarters. "There's less time loading, and it's a better experience," he said.

The software also allows for what Karaca called partial Web deployment. "Traditionally when you Web-deploy, you put out everything," he said. "The user downloads an empty stub — setup.exe — which connects to the Internet and downloads the main application and all the additional runtimes.

"We believe a Web deployment should be self-contained," he continued. "When you build a setup with InstallAware, you choose what goes in. If you already have a particular runtime downloaded on your machine, why should it be downloaded again and again with each application?"

InstallAware uses genuine scripting for Windows, which Karaca claimed helps Windows Installer work more intelligently. "Say you want a setup to fork while installing — 'If it's a Windows 2000 system, take a certain path. If not, take a different path.' It's extremely hard to do [that] in Windows Installer." Genuine scripting lets developers write a script that allows the setup to perform such actions at runtime, with all actions going through Windows Installer.

Among the new features in version 5 is the ability to install SQL Server Express 2005 as part of a setup, while reducing the runtime to 60 percent of its original size, Karaca claimed. The addition of Include Scripts allows teams to share setup scripts or create a setup library. New Instance Transforms enable the installation of multiple versions of software on the same machine.

InstallAware 5 is available in four editions, starting at US$199 for the Express edition, a single-user version with a visual setup process. The Developer edition adds genuine scripting for Windows; a Studio edition adds debugging and 14 customizable setup themes with a dialog designer; and an edition called Studio Admin enables users to open existing setups and customize or reverse-engineer them, and to build setups on end-user machines without buying additional licenses.

InstallAware Studio Admin lets users customize or reverse-engineer existing installation setups.

Seagull Gets CICS Out of Mainframe

LegaSuite tools wrap transactions for use in Web services world

BY DAVID RUBINSTEIN

While the season for wrapping presents is passed, Seagull Software last month declared an open season for wrapping CICS transactions as Web services, with the release of its newly integrated LegaSuite for CICS.

LegaSuite is made of an integration server module, a GUI server module and a business process management engine module, according to Kim Addington, Seagull's executive vice president and chief marketing officer.

"It's middleware from an application stack perspective, but it can sit on the host or on another server in a distributed environment," she said, noting that the software supports native CICS mainframe apps, or can run off the mainframe in distributed environments. She cited BEA's WebLogic and IBM's WebSphere application servers as well as NetWeaver and middleware from Sun (SeeBeyond), TIBCO and WebMethods as environments in which LegaSuite can be placed. Addington said her company has even had calls from customers that want to wrap client/server functions from the .NET environment into callable Web services.

Addington said Seagull believes the industry is at an important point in terms of the adoption of service-oriented architectures, but added that dealing with legacy systems has been an impediment. "With LegaSuite, you can publish a legacy service in one day with no code," she claimed. Other integration vendors require a significant amount of coding to tie to legacy systems, and then only provide access to the data, Addington asserted. LegaSuite, with its BPM engine, can help businesses clear stacked-up change orders and provide an audit trail, tracking, logging and approval without changing anything in the underlying application, she said. The suite also includes modeling tools so business analysts can design the processes.

LegaSuite takes the CICS transaction, ignores the presentation layer, wraps the information for input and output, and publishes it as WSDL description, XML, a Java bean or a .NET component, said Ardy Franssen, vice president of product management. For CICS transactions that need a screen layer, LegaSuite can use the screen's input and output formats as a means to access the host data, she explained.

License fees for LegaSuite development tools range from US$5,000 to $18,000; the runtime software price is determined by the platform, starting at $50,000.

Delphi Comes Together as a Model for .NET Development

BY ANDY PATRIZIO

For its 10th birthday, Borland Software gave Delphi 2006 its Together Modeling tool and some automation features designed to increase the speed of development and reduce time spent on tedious tasks. It also gave it three new names.

For the first time, Delphi supports UML 1.4, 1.5 and 2.0-based modeling, and according to Borland, Delphi 2006 is the first UML-based environment to target .NET languages. Microsoft's modeling tool does not support UML, and Visual Studio gets UML capabilities only from third-party add-in providers.

Applications are designed in the Together Modeling tool, and code is generated based on the forms, data fields and the calls or connections between the different forms. Delphi 2006 includes the latest version of Borland's Enterprise Core Objects, ECO III, which brings persistence to .NET objects and allows for testing of an application while it is still in model form. Previous versions of ECO required that modeled applications include business and user interface logic before they could be executed.

The IDE inspects all of the methods and interfaces for errors, to enable function testing and debugging at the same time, and much earlier in the development process, according to Rob Cheng, director of product marketing at Borland.

"Integration of Together technology with [Delphi 2006] provides developers a way to design and build apps at a much higher abstraction level, where it's mostly models and visual representations of how things are laid out in the app. It makes for faster application development," he said.

Delphi 2006 also automates audits and metrics of the code, so code can be compared against industry best practices, such as Gang of Four best practices. The IDE will offer suggestions for improvements.

Another new feature is automatic document generation. The tool will inspect all methods, interfaces and APIs to make, if not full documentation, then at least the skeleton of documentation that covers all of the methods, inputs and outputs of the application. Technical writers or programmers can then fill out the rest of the information on the application's structure.

BY ANY OTHER NAME

Unwilling to abandon established product names, Borland will continue to offer four separate products — Developer Studio, Delphi 2006, C++Builder 2006 and C#Builder 2006 — with identical pricing and functionality. Over time, only the Developer Studio name will remain.

Delphi 2006 comes in three editions: Architect, Enterprise and Professional. Architect is the top-of-the-line product. New licenses cost US$3,490 and $2,290 for upgrades. Enterprise costs $2,490 for new customers and $1,500 for upgrades. Professional costs $1,090 for new licenses and $460 for upgrades.

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Not Just for Rational: Essential Unified Process 



Ivar Jacobson 



A UML 'amigo' discusses the lighter, 
platform-agnostic version of RUP he is developing 

work as virtual mentors. 



BY JENNIFER DEJONG 

Best known, along with Grady Booch 
and James Rumbaugh, as one of the 
"Three Amigos" who co-invented the 
Unified Modeling Language, Ivar 
Jacobson announced late last year that 
he is developing the Essential Unified 
Process. Recently, SD Times spoke to 
Jacobson about his work. 

SD Times: What is the Essential Unified 
Process? 

Ivar Jacobson: It makes use of experi- 
ence and knowledge gained from RUR 
But everything that is not absolutely 
necessary goes away. We don't reuse 
any of the material. We throw away 
everything that is heavy. 
Can you give me an example of something 
that is heavy? 

For example, RUP includes thousands 
of pages [of guidance and knowledge]. 
But people don't read it; it's too much 
for people to think about. Essential 
will include no more than 200 pages. It 
will keep the core ideas of RUP. [A 
concept known as] intelligent agents 
will also play a role. They will deliver 
pages only as you need them. They 



What are the core ideas of RUP? 

There are five: components; models; 
iterative and incremental; architecture; 
use cases. [RUP is based on] compo- 
nents and models. It is iterative and 
incremental, and it is architecture and 
use-case driven. If you focus on archi- 
tecture early in the life cycle, there is 
less need for refactoring. When you 
identify use cases up-front, they give an 
automatic project plan. 
In late November you announced plans to 
deliver Essential UP for Visual Studio 
Team System. But Essential UP isn't 
designed solely for Microsoft developers, 
is it? 

No. It is generic knowledge that can be instantiated in different platforms.

Is Jaczone [the software company Jacobson co-founded with his daughter Agneta in 2000] or any other company working on a version of Essential UP for the IBM Rational Software Development Platform?

We want to spread the core practices that will be part of Essential Unified Process as widely as possible to help the many organizations that may benefit from them. Thus, we have partnered with Microsoft to make them available to the .NET world. We have also partnered with IBM to make the part of RUP that they donate to Eclipse (called Basic UP) as successful as possible.

When do you expect to deliver the Essential UP for Visual Studio Team System?

We are targeting to release at the end of the first quarter of 2006, or the beginning of the second quarter.

Can you describe the typical architect/developer that is likely to use Essential UP?

I first have to be cautious about the word "typical." But I would say that 50 to 60 percent of the projects that will use the Essential Unified Process could be described as typical. A typical project has a team of five to seven people and a length of six to nine months. The typical project is an application on top of a well-known platform, including middleware. However, the Essential Unified Process will be designed to also work well for new creative solutions, such as developing intelligent agents to support a banking application.

Some members of the UML community have said the language has grown too large, noting that most architects/developers use only a few of the diagrams. Others point out that UML is solving extremely complex problems, and its broad scope is therefore necessary. Where do you stand on this issue?

I used to say that 80 percent of all projects need just 20 percent of UML. I think UML 1.1, which was designed back in 1997 by a team including Grady Booch, Jim Rumbaugh and myself, was quite good. It needed to stabilize for several years before it went through a major redesign and extension, which
► continued on page 24 
Compuware Revs Up CARS, QACenter

Adds ability to run tests from Web, integrate with other RM offerings



BY JENNIFER DEJONG 

Compuware continues to soup 
up its CARS and other quality 
assurance offerings. 

The Detroit-based company last month announced version 5.1 of both CARS and QACenter Enterprise Edition. New to both is the ability to build and execute test scripts from a Web browser, and to integrate with requirements management tools from Borland, IBM, SteelTrace and Telelogic, said Mark Eshelby, quality solutions product manager for Compuware.

QACenter Enterprise Edition, which starts at US$8,000 per user, includes Compuware's Reconcile requirements management tool and provides automated testing, test management and defect tracking capabilities for QA teams. CARS includes QACenter, methodology and best practices advice, and also delivers key quality metrics to line-of-business executives. Unlike the previous release, CARS 5.1 incorporates Changepoint, Compuware's tool for managing IT projects and costs. CARS is sold on a subscription basis, but Compuware did not specify pricing.

Enabling testing professionals to use QACenter from the Web is essential for geographically distributed teams, asserted Eshelby. In the past, firewalls made that difficult to do. Integration with other tool makers' requirements offerings lets business users see, for example, which features of an e-commerce application are passing QA tests and which ones are failing. "If there's a 50 percent failure rate on the shopping cart, the business user can see that," he said. In the past, that was possible only if requirements were captured in Compuware's Reconcile.

QACenter 5.1 helps teams manage testing efforts, prioritizing tests and estimating how long they will take.

Also new to QACenter and CARS is the ability to calculate how long an individual test, such as totaling the cost of items in a shopping cart, will take, said Eshelby. The time estimation capability extends an earlier feature, which lets teams specify which tests take priority, and which ones can wait. Better test planning is key in "the business and technical environment, where there are lots of dynamics at work," said Eshelby.
Study Reveals Trust in Homegrown Apps



< continued from page 5 

IT department has given up the fight to make it adequate. Management will not buy into more than half-measures (e.g. anti-virus software and a hardware firewall) after they have been hit over the head with the need for it." Given the sensitive nature of this research topic, all names and companies are being treated as confidential.

Another respondent commented, "Security testing varies from one project to another depending on who is involved and the risk potential. Software developed for some projects is quite secure, while software for other projects may have minimal security testing."

The respondents had higher confidence in the security of software written for internal consumption by their own staff than software written by contractors, or purchased as packaged applications. When asked how secure internally developed applications were, 57.4 percent called them "totally secure," "very secure" or "secure." But when asked about applications written by contractors, consultants and outsourcing services, only 42.3 percent characterized them with one of those three ratings. When asked the same question about mission-critical off-the-shelf or packaged applications licensed by the respondent's company, such apps were judged secure by 52.1 percent of respondents.

What types of software testing do companies perform? Nearly three-quarters said that their organizations perform password/authentications testing. Just more than half also perform manual code reviews or walkthroughs, and also perform network testing. About 42 percent said they perform a risk assessment, and about the same number do Web services testing.

Specific threats weren't always tested against. Slightly less than a third test for the SQL injection vulnerability and even fewer look for buffer overflows.

"We don't do enough intrusion testing. We tend to test for authentication, but not intrusion," said one respondent. Another said, "We could do a lot more, we have the expertise, but our customers are not willing to pay the extra price."

Finally, when asked where they expect to see their companies investing in software security over the next 12 months, close to half said they expect to purchase tools for assessing software security, and more than 40 percent said they would be adopting more secure development methodologies and acquiring testing tools for improving software security. A focus on programmers came in lower, with only 38.1 percent saying they'd invest in software security training for programmers, and 35.4 percent saying they would acquire development tools that would help with improving software security services.

What about looking outside the organization? Not an option, most respondents said. Fewer than 1 in 5 expected to use external services for testing or assessing software security; 16.7 percent would hire consultants to assist with improving software security; and 12.9 percent would use external services to improve software security.
Web Tools Platform 1.0 Ready for Extension



BY ALEX HANDY 

AND EDWARD J. CORREIA 

The Eclipse Foundation in late December released version 1.0 of the Web Tools Platform — its environment for developing J2EE Web applications — declaring it stable enough for full commercial deployment.

The release is the first major update to the software since version 0.7 was shown at JavaOne in early 2005.

According to Eclipse Foundation director of marketing Ian Skerrett, the tools themselves were stable at that time, including those for JavaScript, WSDL, JSP, HTML, CSS, SQL and XML. "But the team wanted to spend more time on the frameworks and on crisping up the APIs," said Skerrett. The platform API is now suitable for extension by third-party developers, he claimed.

Tim Wagner, senior development manager at BEA Systems and the Web Tools Platform project committee lead, said that the committee and the vendors behind it hope to make WTP the de facto standard for Web application development environments.

Of the future, Wagner said the next steps will be to enhance the development tools, componentize WTP features to enable subsets to be selected and deployed, and keep pace with the release of Eclipse version 3.2, code-named Callisto, planned for June. Other goals include major documentation and help system contributions from IBM, important bug fixes and performance improvements. A service pack to contain version 1.5 is set for February.

In addition to BEA and IBM, major contributors to WTP include JBoss, ObjectWeb and Oracle.

Geronimo App 
Server Hits 1.0 

< continued from page 1 

ication to the Geronimo project, he had trouble pinpointing solid reasons to prefer Geronimo to another open-source app server — JBoss. "Until recently," said Sundstrom, "we had one big feature over JBoss, which was the transaction manager, but they closed that [gap] by purchasing the Arjuna one. The JMS implementation we use is far superior to the one in JBoss. One of the guys who wrote the Active MQ that Geronimo uses wrote the JBoss one, and learned from all of his mistakes."

Sundstrom said that the biggest single differentiator between the two is the licensing. "All the software released from Apache comes under the Apache Software License, which makes it easy for ISVs and commercial organizations to be able to redistribute [code] and add their value-adds." JBoss is shipped under the Lesser GPL, which Sundstrom called "one big political hot potato."

But that doesn't mean that the Geronimo team isn't trying to stand out from the crowd. "Geronimo ships with a benchmark called Daytrader. We're very focused on performance benchmarks. I think it's a place where we'll actually be able to differentiate with the competition."
Companies to Spend $6 Billion on SOX Compliance



< continued from page 1 

instance, an employee who has the authority to create a purchase order is not also allowed to issue payment. Proving such checks and balances exist is critical to complying with the Sarbanes-Oxley Act of 2002, he said.

Continuous-controls monitoring software is used by CEOs to ensure that such controls are working. "The software uses a series of analytical tests to determine whether a control, such as 'all invoices over $50,000 must be approved by a manager at a certain level,' has been complied with," said Verver, offering an example. Such systems look not only at individual transactions, but also at patterns. If an employee has issued seven purchase orders at $49,000 each, the CEO needs to know that, said Verver.

NOT AS EXPECTED 

Three or four years ago, when companies began formulating Sarbanes-Oxley strategies, many anticipated that developers would play a key role in compliance efforts. But things haven't shaped up that way, said Verver. Initially, there was a big focus on building auditing controls into existing systems such as those for enterprise resource planning or business process management. That approach would have required significant input from developers. "But that hasn't happened," he said.

The presence of controls in software designed for other tasks doesn't necessarily prove compliance, and can also get in the way of doing business, he said. What's more, top executives need to own the systems that manage compliance efforts.

In addition, there has been a shift in mindset, where senior executives have begun to see Sarbanes-Oxley and other compliance initiatives as ongoing efforts, not simply as this year's project, said AMR's Hagerty. "Companies complied last year. They will comply this year." Compliance and monitoring software provide financial managers and senior executives with the tools to do that, he said.

But spending patterns will change this year. The survey found that internal labor and head count will account for 39 percent of total 2006 SOX spending, a drop of 8 percent from 2005 spending, while the $1.9 billion to be spent on technology represents an increase of 13 percent. External consulting, however, excluding fees for financial auditors, will remain steady at 29 percent. AMR was expected to make available further survey results earlier this month.
Ruby on Rails Gains Head of Steam

< continued from page 1

lot of promise," said open-source analyst and Navica CEO Bernard Golden. "They give you a lot of the infrastructure: My term would be they give you a lot of the plumbing. Rather than creating all the connections, it just delivers all that. It gives you a huge leg-up in building your prototypical database-driven Web site."

Richard Monson-Haefel, a senior analyst at the Burton Group, has just completed a 30-page report on Ruby on Rails. He said Ruby is an excellent evolving technology that should be considered by organizations searching for new Web frameworks. "It offers a very strict Model-View-Controller model," he said. "But it gives you the ease of development a lot of people associate with PHP. It's much easier to maintain than a complex PHP script or a simple J2EE program. J2EE is notoriously complex, and PHP can be tough to maintain because it doesn't have a good MVC. It's very good for developing Web applications very quickly."

Monson-Haefel pointed out some of Ruby on Rails' shortcomings, which are primarily database-related. "1.0 of Ruby on Rails did not support compound primary keys [common in relational databases] and has no support for legacy databases."

He said the framework also lacks support for two-phased commit. "If you're making changes to two databases and you want them both to roll back at the same time, it doesn't support that. Only 10 to 15 percent of Web applications need that."

One Web site that has moved to Ruby on Rails is the popular comic site Penny Arcade (www.penny-arcade.com). Webmaster and system administrator Erik Karulf said that when new comics come out three times a week, Penny Arcade can receive an average of 700 unique hits a second. Prior to the Ruby on Rails transition in November, Penny Arcade was a PHP/MySQL-based site.

"The poor MySQL server just couldn't keep up," said Karulf. "The first thing we did when we switched to Ruby on Rails was standardize the template and header and footer, and it's made my life a lot easier." The entire site, he said, takes up about 1,200 lines of code.

'UNSUNG HERO' 

Karulf also has transitioned Penny Arcade to another piece of technology that the Ruby on Rails community advocates: Lighthttpd. "The unsung hero of Penny Arcade right now is Lighthttpd. The site generates the page files once. To do that in Ruby on Rails took me two lines of code. The scaling is amazing on static files."

Lighthttpd is a smaller alternative to Apache, and is one of the two Web servers supported by Ruby on Rails.

Monson-Haefel recommends Ruby on Rails to his clients. "We tell companies that it's very productive," he said. "We recommend it for department-level Web applications and for small start-ups, but not for mission-critical super-high transaction processing. The ecosystem is a little anemic in that the number of libraries and the types of solutions that can be added on top of Rails aren't there."
Advertorial - Tablet PC and Mobile PC Technology Driving Enterprise Solutions.










innovation 

within your reach 






Mobile PC applications — including those 
tuned for Tablet PC — are in greater demand as 
users seek new ways to access data anywhere 
and at anytime. Simultaneously, computers are 
designed to be more mobile, used more hours of 
the day and in more relevant scenarios. Analysts 
predict this phenomenon will continue, and IT 
Professionals and Independent Software Vendors 
need to acquire the knowledge and insight to 
determine how best to build and deploy mobilized 
software applications. 

The Tablet PC is the evolution of the notebook PC. Designed to meet the mobile demands of enterprise users, Information Technology (IT) professionals, and end users alike, the Tablet PC offers the full power and functionality of today's notebook PC — with no sacrifices. Powered by a superset of Microsoft® Windows® XP Professional, Tablet PC offers the robust features and security technologies in Windows XP Professional plus additional pen-based functionality. With a Tablet PC, you can use your computer in new and different ways — whether in the office, in a meeting, or on the go.

Tablet PCs are optimized for your organization's mobile-computing needs and designed to let you stay connected to customers, colleagues, and critical information in real time, most anywhere your work takes you.

Microsoft Office System extends the capabilities of the Tablet PC with deep pen and ink integration into existing software like Microsoft Word and Microsoft OneNote®, where you can bring ink, text, and Web content together in one program. OneNote and the Tablet PC turn note-taking into information management. You can save time by using your Tablet PC to perform such tasks as sharing notes with peers, electronically assigning action items from meetings, and turning notes directly into summary reports for distribution in e-mail. Ink is a first class data type similar to text — users need not convert ink notes into text. Because recognition occurs in the background, though, users can search and sort ink notes as readily as text. Users become more productive, saving time each day by keeping notes as ink.

Enhanced Ink-to-Text Experience— Because there are times when you do need to convert handwriting, Windows XP Tablet PC Edition 2005 introduced Tablet PC Input Panel, which makes it quicker and easier to convert ink to text. With Windows Vista™, Microsoft and our hardware and software partners continue the investment with more pervasive support for ink, new-generation hardware, a wealth of new features, and third-party software applications. You can learn more about Windows Vista at www.microsoft.com/vista.

The Ultimate in Power, Mobility, and 
Versatility — The Tablet PC is everything you need 
in one lightweight package, providing the power, 
mobility, and versatility your workplace demands. 
The Tablet PC is truly one of the most unique 
PCs ever, giving you pen-based digital access to 
the information you use every day, from almost 
anywhere you happen to be. Tablet PC features 
include: 

■ Advanced power management for long battery 
life. 

■ Built-in, zero-configuration wireless capability. 

■ Lightweight design for easy carrying. 

■ Grab-and-go docking. 

■ Fast resume from Standby, for quick access. 

■ The ability to convert handwriting into text and 
insert it into applications. 

■ The capability to search both handwriting and 
text together. 

■ Inclusion of diagrams, charts, graphics, and 
drawings into notes. 

■ Easy use of business forms by using the tablet 
pen to enter data. 

■ Quick navigation with the tablet pen. 

■ The ability to collect digital signatures. 

Like all laptops, the Tablet PC offers a complete desktop computer solution. Support for keyboards and other common peripheral devices — such as external monitors, speakers, and multimedia devices — also make the Tablet PC the ideal choice for a primary desktop computer. Of course, you can customize a Tablet PC with a variety of applications available from industry-leading software vendors. For more information about features and the specialized vendor software, see www.tabletpc.com.

Compatibility with Existing Windows 
XP-Based Programs— Windows XP Tablet PC 
Edition 2005 offers deep ink integration 
in familiar programs, such as those found 
in the Microsoft Office System. You can add 
ink comments to Word documents, annotate 
Microsoft Office PowerPoint® presentations, take 
digital notes in OneNote, and send ink e-mail 
messages to coworkers and friends. In fact, any 
application that runs on a Windows XP computer 
also runs on Tablet PC. You can also share your 
handwritten notes with other computer users — 
even if they are using a computer other than a 
Tablet PC. In addition, Tablet PC offers support 
for a host of third-party programs that specifically 
enable you to optimize ink capabilities. 

Simplified Enterprise Deployment — Because Windows XP Tablet PC Edition 2005 is a superset of Windows XP Professional, Tablet PC offers the security, reliability, and large-scale deployment capabilities of Windows XP Professional. In addition, Windows XP Service Pack 2 (SP2) offers security enhancements for increased protection for the Tablet PC. All current Tablet PC models have Windows XP Tablet PC Edition 2005— including Windows SP2— preinstalled by OEMs. For more information about deploying Windows XP Tablet PC Edition 2005, see Deploying Microsoft Windows XP Tablet PC Edition 2005 on www.microsoft.com.

Seamless Management— Manage Tablet PCs just like other Windows XP-based computers. Tablet PCs provide Active Directory® directory services, remote assistance, and all of the networking support of Windows XP Professional. Windows XP Tablet PC Edition 2005 also has more than 300 policies that tailor the operating system to the enterprise environment.

Support for the .NET Framework- 
Windows XP Tablet PC Edition 2005 is designed 
in accordance with the Microsoft .NET Framework, 
which ships with every copy of Windows XP Tablet 
PC Edition. It includes the common language 
runtime, which is at the foundation of the .NET 
Framework. The common language runtime is 
an agent that manages code at execution time, 
providing core services, such as memory and 
thread management, while enforcing the strict 
safety and accuracy of the code. 

Powerful Development Platform- 
Windows XP Tablet PC Edition 2005 is a powerful platform for developers who are interested in integrating pen, ink, and speech functionality into new or existing programs. Developers can leverage their existing knowledge, hardware, software tools and Microsoft Visual Studio® to develop ink-enabled applications. And many developer tools — including the Microsoft Windows XP Tablet PC Edition Development Kit 1.7 — are available for download at The Tablet PC Developer Center, msdn.microsoft.com/tabletpc.



A More Powerful Work Environment— 

The sum total of all this is that Tablet PCs are ideally suited for business users who spend much of their day away from their desks — either on the road or in meetings — yet need access to their information at all times. The lightweight design, versatility, support for wireless connectivity, and docking support enable mobile workers to stay productive wherever they are throughout the day. The compatibility of Tablet PCs with existing software and support for Windows XP deployment resources creates straightforward deployments and seamless management of Tablet PCs in corporate environments. All this adds up to more productive employees, easier resource management, and the realization of more potential.




Learn more about Tablet PC: 

■ IT professionals, visit 
msdn.microsoft.com/tabletpc/itpro 

■ Developers, visit our developer center at 
msdn.microsoft.com/tabletpc 

■ Information workers and end users, visit 
www.tabletpc.com 
Vendors Back Language-Neutral SCA Spec



< continued from page 1 

some existing object and generate the XML needed for the interface and the messaging. "But that doesn't always give you the granularity to map to the business services that you need at the business level." SCA closes that gap, he said, by abstracting the low-level APIs that Java or C++ developers would otherwise have to code directly to specs such as JAX-RPC and WS-Addressing. "Java developers spend a lot of time coding to these specs. SCA promises to provide a metadata-based approach that will generate a lot of that low-level code for developers." Newcomer said SCA will be proposed as an Eclipse project.

But while enthusiastic about the effort, Mark Neuhaus, vice president of Java Web services at Sun, expressed caution about stepping on prior work. "From a Sun perspective, SCA is an important next step for the community; building a component architecture for sharing artifacts is a good thing. But it also should rely on previous work and extend it to the next level."

Some of that previous work, he said, was done as part of the Java Business Integration specification (JSR 208). "In the evolution of Web services toward service-oriented architecture, you built on standards: XML, WSDL and WS-*. Eventually you have to be able to describe what a set of Web services are, so you get a Web services descriptor."

In a statement released just after the SCA announcement, IT research firm Gartner characterized the endeavor as "an attempt to combat one aspect of Sun's [JBI] effort by delivering a programming model for SOA — a non-Java-specific, metadata-driven model that describes the composition of services ... [that are] independent of interoperability protocols."

Newcomer said that while there are similarities, he disagrees with the basic premise that JBI is redundant to SCA. Iona contributes to both projects. "JBI does provide a service interface for components, and there are common aspects such as the Web services descriptor."

The main difference between JBI and SCA, he said, lies in their intended purpose. "JBI looks to break apart EAI solutions and standardize assembly of integration components, and so any vendor can put together a best-of-breed solution" using components from multiple vendors, he said. For example, a transformation engine from one vendor could be joined to messaging middleware from another. "SCA is focused on helping the enterprise developer create SOA software at the application level."

"JBI is, in part, for connecting systems," countered Neuhaus. "But it's also for expressing them as services in a SOA." But Neuhaus conceded that SCA will attempt to accomplish more than what JBI was about. "Trying to define a more comprehensive component architecture for SOA apps, that's fine. We would love to join as a co-author and bring our IP and expertise to help it be successful. But we have not been offered that opportunity."
SpeeDEV Breaks Into Life-Cycle Management

Kovair merger bears document management, collaboration fruit

BY DAVID RUBINSTEIN

SpeeDEV, a company that once focused only on requirements and issue management, is looking to crack into application life-cycle management with the completion last month of its merger with Kovair and the release of version 4.5 of its namesake platform.

Kovair provides SpeeDEV with document management and collaboration capabilities necessary for an ALM solution, according to SpeeDEV CTO Sky Basu. With the new release, development organizations can store such assets as requirements, use cases, test cases and test plans, and defect-tracking information in a single repository, Basu said. Also, SpeeDEV 4.5 enables organizations to set up their own custom assets, such as those required for help desk, Capability Maturity Model integration and IT management. Examples would be supplier agreements or entry validations. The platform, which runs on Microsoft SQL Server and uses the .NET Framework in the middle tier, is accessed via a browser so any group or location can work with the assets, which Basu said can help facilitate multisite or outsourced development.

In the SpeeDEV interface, asset categories, such as requirement or test case, appear in a tree list. Selected categories yield an itemization of the assets in that category in a window next to the list; clicking on a specific item presents that item in a window beneath the itemization. There is a form designer for the bottom window so that each group that needs to access the information can see it in whatever way they wish, Basu said.

The Visual Process Designer enables creation of graphical workflows that can help enforce development rules.

Other new features in version 4.5 include a workflow process engine that enables organizations to automate their development methodologies,



S-3 Takes Holistic 
Approach to Security 



BY ALAN ZEICHICK 

The second annual Software 
Security Summit will take a 
broad, holistic view of applica- 
tion security, embracing the 
topic not only as a testing and 
quality assurance imperative, 
but also as a key design goal for 
architects and programmers. 

The conference, scheduled 
for Feb. 6-8 in San Diego, will 
feature keynote addresses from 
Gary McGraw, CTO of security 
software company Cigital; and 
Peter Coffee, respected tech- 
nology columnist for eWeek, a 
newsweekly published by Ziff- 
Davis International. McGraw, 
author of "Exploiting Software," 
"Building Secure Software" and 
the upcoming "Software Securi- 
ty," will discuss how to design 
security into the application 
from its earliest stages. Coffee 
will focus on the attitudes 
behind writing secure software 
in his keynote, "Mediocrity is 
Malpractice!" 

Registration for the 2006 
Software Security Summit is 
running 45 percent above last 
year's attendance, said Ted Bahr, 



president of BZ Media, which 
owns and produces S-3. (BZ 
Media also publishes SD Times.) 

The three-day conference 
begins with one full day of tuto- 
rials, covering how to integrate 
security into the application 
development life cycle, writing 
secure .NET applications, writ- 
ing secure Java/J2EE applica- 
tions, and secure coding in 
C/C++. The second and third 
days consist of dozens of in- 
depth classes that cover manage- 
ment issues, specific hacker 
exploits and code vulnerabilities, 
cryptography and best practices 
for developing better software. 

New classes for 2006 
include "Developing Bullet- 
proof Web Applications" con- 
ducted by Govind Seshadri; 
"Safer Strings in C: Using the 
Managed String Library" by 
Robert C. Seacord; "Applica- 
tion Defense — Software That 
Fights Back" by Arthur Do; 
"Auditing Code for Identifying 
Security Problems" by Bob 
Fleck; "Everything You Know 
About Crypto Is Wrong" by 
John Viega; "Defeating Rootkit 
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Backdoor Attacks" by Greg 
Hoglund; "Secure Coding 
Techniques for Internet Appli- 
cations" by Jim Maloney; and 
"Seven Pernicious Kingdoms: A 
Simple Taxonomy of Coding 
Errors" by Gary McGraw. 

The Software Security Sum- 
mit also includes an exhibition 
hall open for two days. Fortify 
Software is the diamond spon- 
sor of S-3; Kenai Systems and 
Secure Software are platinum 
sponsors; and Ounce Labs and 
Parasoft are gold sponsors of 
the conference. 



ensuring applications are creat- 
ed in accordance with whatever 
rules are in place, Basu said. 

Also new are the ability to 
trace multiple asset types across 
applications and report on 
them, and the ability to syn- 
chronize workflows across enti- 
ties. "For example, you might 
have a release with 20 require- 
ments and 50 bugs. You might 
say that you can't start integra- 



tion testing until unit testing is 
finalized for requirements and 
issues," Basu said. 

SpeeDEV has added a 
SOAP-based API to the platform 
to enable companies to create 
their own user interfaces, or to 
bring in and share the SpeeDEV 
assets via an enterprise portal, 
Basu said. The API also enables 
integration with third-party tools 
and legacy systems, he added. 



Essential Process 



< continued from page 12 

happened with UML 2.0. We 
should have sought help from 
the many excellent people with 
background in formal language 
design to make sure that we had 
removed inconsistencies and 
streamlined the design. UML 
can model very complex soft- 
ware, but the more advanced 
features should have been sepa- 
rated from the 20 percent and 
presented in an aspect-oriented 
way, as we will do with the more 
complex extensions to Essential 
Unified Process. The extensions 
must not complicate the base. 
Do you consider Essential UP 
an agile methodology? 
Yes, absolutely. This is one of 
the preconditions for our work. 
Agile, with discipline. 
Microsoft has earlier described 
its modeling strategy as "UML 
and more." Do you agree with 
that characterization? 
Frankly, I don't know. However, 
since Microsoft can stand on top 
of the work done on UML, [the 
company] should have learned 



from the UML experience. I 
have worked with modeling 
languages since [the] late '60s. 
Over the years, I have seen 
people take two different 
approaches. You can call it the 
centralized or the distributed 
language approach. The central- 
ized approach was taken by SDL 
[Specification Description Lan- 
guage] and UML, a common 
meta-model for the whole lan- 
guage. The distributed approach 
has been taken by several larger 
telecommunications companies. 
It basically means that you have 
different kinds of languages for 
different kinds of problems. 
Thus, I have seen different lan- 
guages for different businesses 
and for different disciplines, 
such as business modeling, 
requirements, architecture, test- 
ing, etc. You can call them 
domain specific languages — a 
term that was used at Ericsson 
back in 1990. In principle, both 
approaches work well, but they 
require rigorous, different language 
design practices. 
Under Adobe, Flash Lite 2 Is No Lightweight 

First release of runtime for mobile devices since Macromedia acquisition adds XML parser 



BY EDWARD J. CORREIA 

Having completed its acquisi- 
tion of Macromedia in Decem- 
ber, Adobe Systems on Jan. 5 



began shipping Flash Lite 2.0, 
the latest version of the runtime 
for mobile devices that the com- 
pany claims now includes Flash 



Player 7 and JavaScript compat- 
ibility, and an XML parser for 
local handling of data. 

An updated development 



environment can now emulate 
the runtime's 210 supported 
mobile devices, including 98 
handsets from 11 manufactur- 




ers, the company says. 

Most significant among the 
advances, according to Anup 
Murarka, Adobe's senior director 
of technical marketing, 
is its ability to parse XML 
data locally. "Now XML data 
sources can be brought into an 
active experience," which he 
said gives developers the ability 
to manipulate and include 
Web-based content such as 
RSS news feeds and enterprise 
data in their layouts. 

And while local XML pro- 
cessing can be a burden on the 
limited resources of a mobile 
processor, he said the capability 
also can help reduce the amount 
of data being transmitted, which 
in turn saves on wireless network 
costs. "XML parsing also enables 
use of SVG content, which is 
based on XML," he said, refer- 
ring to Scalable Vector Graphics 
common to many Web sites. 

Flash Lite 2 now supports 
ActionScript 2, Macromedia's 
application scripting language 
that is based on the ECMA 262 
specification, which grew out of 
JavaScript. 

He added a qualifier: Action- 
Script can process some Java- 
Script commands but is not 
fully compatible. "Typical script 
[commands] that you might see 
on a desktop are not necessarily 
going to exist on a mobile 
phone, like OpenWindow. And 
there are things we've changed 
to support animation." 

GROWTH OF FLASH LITE 

Murarka said the improvements 
reflect the growing use of Flash 
Lite. In early 2004, when Sym- 
bian co-founder Juha Chris- 
tensen was hired by Macrome- 
dia to run its then-new Mobile 
and Devices division, the num- 
ber of cell phones with Flash 
Lite preinstalled was near zero. 
Today that number is at about 
45 million, according to Murar- 
ka. Christensen left Macrome- 
dia about a year ago. 

Murarka said the Macrome- 
dia brand will remain on some 
products. Mobile and desktop 
developers use the same envi- 
ronment, Flash Professional 8; a 
free update for Flash Lite 2.0 is 
available to licensed users at the 
Macromedia Labs Web site. A 
beta of the Flash Player 7 SDK is 
available now; release is set for 
February. 



www.sdtimes.com 



Software Development Times . January 15, 2006 . 



EMBEDDED & WIRELESS NEWS 



27 



A New Company Promotes Proven Software 

Component repository is designed to spur reuse in devices and save developers time 



BY EDWARD J. CORREIA 

Proven Software Solutions is not 
only its name, but also what 
the company claims to offer. 
According to one of its founders, 
the U.K.-based start-up is built 
on the premise that embedded 
developers spend most of their 
time working on proprietary 
software that adds no unique 
value to their designs. 

"Rather than having engi- 
neers developing drivers, which 
do nothing to differentiate a 
product, your engineers can be 
working on things that do dif- 
ferentiate your products," said 
Proven Software CEO and co- 
founder Chris Briggs. 

To that end, the company 
late last year made available a 
repository of embedded soft- 
ware components — drivers, 
protocol stacks and the like — 
that have been contributed by 
embedded developer partner 
companies. The components 
have been developed, tested 
and debugged by the contribu- 
tors, and have been either 
deployed widely in commercial 
devices or running reliably for a 
lengthy period, or are certified 
to be compliant with a widely 
used industry specification. 

"If [someone buys] some- 
thing from us, they're getting 
something that is proven to work 
and is much cheaper in terms of 
cost and development time," 
claimed Briggs. "It also saves 
them debugging and testing time 
because we only take products 
that have been proved to work in 
a product," something, he said, 
that can potentially cost tens of 
thousands of dollars to develop. 

Briggs said that components, 
which are categorized in the 
repository by function, target 
architecture, language and oper- 
ating system, cost between a few 
hundred and a few thousand dol- 
lars, some of which goes back to 
the developing company. "Oth- 
erwise, once you've developed 
and archived [a component], it 
does nothing more for you. This 
way [developers] can realize rev- 
enue from that asset in licensing 
sales." He called the component 
prices competitive compared 
with developing in-house. There 
are no royalties. 

To date, AMD, Intel, Renesas 
and Toshiba have contributed 
about three dozen compo- 
nents, mostly operating system- 
independent C-language device 



and interface drivers. Briggs 
claimed that several major 
U.S.-based embedded software 
companies have expressed 
interest in partnering, but 



would not specify which ones. 

Each component is accompa- 
nied by a data sheet that 
describes how the component 
has been used in the field, its 



benefits, the API (if applicable), 
and of course, source code. 
Briggs noted that while compo- 
nents have been proven to work 
in their original hardware, they 



will require modifications to 
work with other designs. 

The repository is available 
now at www.proven-software.com/Software.asp. 
It's the right vision, analysts say, but beneath the surface, 
a lack of tool integration, cultural factors slow adoption 



BY JENNIFER DEJONG 



To hear some tool makers tell it, 
the era of application life-cycle 
management is already here. 
Supported by integrated ALM offer- 
ings, they say, architects, developers, 
testers and operations managers are 
working in tandem, producing better 
applications, faster and with fewer 
defects than ever before. 

But according to industry analysts, 
the reality doesn't come close. Most 
development teams have taken only tiny 
steps toward ALM. "What tends to hap- 
pen is that customers buy one or two 
pieces," said Bola Rotibi, senior analyst 



at U.K.-based research firm Ovum, 
referring to requirements management, 
issue tracking, source code control, test- 
ing and defect tracking tools, among 
others. And some customers use the 
tools only as point products, rather than 
in the ALM way, she said. 

Lack of integration among different 
tool makers' offerings, and the chal- 
lenge of working in the new way that 
ALM demands, stand in the way of 
more widespread adoption, the analysts 
say. Nonetheless, they agree that ALM's 
promise of faster, more efficient appli- 
cation development is real, and for- 



ward-looking teams are heading in that 
direction. 

"Organizations that want to be 
competitive in the future are paying 
attention to ALM," said David Kelly, 
president of Newton, Mass.-based Upside 
Research. 

"It isn't just a flash in the pan, a stu- 
pid idea," said Ron Schmelzer, a senior 
analyst at research firm ZapThink, in 
Waltham, Mass. "ALM is sensible." 

'SOA SAYS...' 

Integrated ALM offerings can help com- 
panies comply with government regula- 



tions such as the Sarbanes-Oxley Act, 
which may require, among other things, 
that a company document changes made 
to business applications. But the bigger 
ALM driver is the growing adoption of 
service-oriented architectures. "SOA 
says that everything must work with 
everything else," said Schmelzer. And an 
integrated ALM tool set can help an 
organization more easily keep track of all 
the moving parts. 

"Organizations need to not only 
make sure they have the technical 
processes to deliver application 
services," said Kelly, "but they also need 
to make sure they have the organiza- 
tional capabilities to define, capture, 
share and manage service require- 
ments, services delivery and ongoing 
services support." 

In SOA, applications aren't islands, 






ALM is about tool integration and workflow, 
says Forrester's Schwaber. 



they are constellations, added Dana 
Gardner, principal analyst at Gilford, 
N.H.-based research firm Interarbor 
Solutions. "How will an application 
behave when it is deployed in an ecol- 
ogy of other apps and services?" That is 
a question that developers aren't used 
to asking, he said. 

Implemented effectively, and sup- 
ported by underlying tools, an ALM- 
based development process can answer 
that question, said Kelly. "ALM can 
have a big impact on enterprise soft- 
ware development teams when done 
right," he said. "But like exercise or 
diets, effective life-cycle management 
takes some discipline to see the 
results." 

ALM: THE PROCESS 

Step one in adopting a disciplined 
approach is recognizing that ALM is a 
process, not just an integrated tool set, 
said Forrester Research analyst Carey 
Schwaber. "You have to think about the 
processes you want to use before you 
think about the tools," which means fac- 
toring in all the face-to-face interactions 



ALM: IS THE PAYOFF THERE? 



Application life-cycle management promises to 
make organizations that adopt it more produc- 
tive. Analysts believe ALM will deliver on that 
front, but they are not looking for the big pay- 
back anytime soon. 

"The payoff is down the road a ways," said 
David Kelly, president of Newton, Mass.-based 
Upside Research. "It takes effort and work up- 
front for any given company to define the prop- 
er ALM approach." 

Even when companies do cash in on ALM 
investments, the returns are likely to come in the 
form of soft benefits, rather than hard savings. 
The payoff is increased quality, greater responsiveness 
and better overall management and IT 
governance, said Kelly. Such benefits are geared 
to the corporation overall, which aims to give top 
executives a window in the development process, 
rather than to individual developers, said Zap- 
Think analyst Ron Schmelzer. "Does ALM make organizations more productive? Yes," 
he said. "But individual developers? I am not sure. It adds a lot of overhead." 

ALM forces developers as they are writing code to think about what other peo- 
ple need to be aware of, he explained. "That is very uncomfortable for a lot of pro- 
grammers," said Schmelzer. "They wish they could say, 'Leave me alone and let me 
program.'" But with ALM's arrival, the days of "give me the requirements and let me 
produce code as a craftsperson" are over, added Interarbor analyst Dana Gardner. 

-Jennifer deJong 
It takes effort to define the right 
ALM approach, says Upside's Kelly. 



and other communication ALM entails, 
Schwaber said. 

"How are you going to work with the 
business user, the testing team, the 
operations managers? You have to 
understand how the entire organization 



works," said Ovum's Rotibi. "Tradition- 
ally, software development, unlike oth- 
er engineering disciplines, has placed 
little emphasis on process. That's why 
we are at an impasse now." 

► continued on page 31 
Moving beyond that is difficult, 
especially in established 
companies with deeply en- 
trenched ways of working. 
"There are organizational barri- 
ers," said Schwaber. "Testing 
reports to one boss, program- 
mers report to another." 

ALM is also pulling together 
development and deployment, 
which have long been separat- 
ed, added Interarbor's Gardner. 
"In the past, developers created 
applications based on require- 
ments and dropped them in 
[someone else's] lap, to be 
deployed on the other side of 
the fence." Now, there has to be 
a shift in thinking, so applica- 
tions are designed with deploy- 
ment and flexible implementa- 
tion in mind, he said. 

ALM: THE TOOLS 

And, as if the cultural hurdles 
weren't high enough, the tool 
terrain is rocky, too. "There isn't 
much interoperability between 
different vendors' offerings," 
said Rotibi. Teams can buy an 
integrated ALM suite from a 
single tool maker, she said. But 
in the real world, companies 
have acquired individual tools 
over time, and no one wants to 
rip and replace. "You have to do 
ALM with what you have got," 
she said. 

ALM is about tool integra- 
tion and workflow, added 
Schwaber. "That leaves teams 
to cobble together the tools 
themselves, or demand inte- 
gration from the vendors." 

DECISION MAKERS HAVE ALM ON THEIR RADAR SCREEN 

Are you aware of, not aware of, or already using 
application life-cycle management (ALM)? 

Source: Forrester Business Technographics November 2005 North American and 
European Enterprise Software And Services Survey 



Individual tool makers may 
provide point-to-point integra- 
tion between their product and 
another software company's 
offering, but they aren't likely to 
offer that service for an entire 



cobbled-together ALM suite. 
The Eclipse Application Lifecy- 
cle Framework (ALF) project 
aims to solve that problem, pro- 
viding a loosely coupled, Web 
services-based way to link 



together disparate offerings. 

"ALF has potential," said 
Rotibi. "They are on the right 
track." But the project does not 
expect to deliver its 1.0 release 
until September 2006. 



"The tools' reality is a work 
in progress," said Gardner. The 
tool makers may have overstat- 
ed how widely ALM suites are 
used. But they are doing a good 
job of educating development 
teams about the need to 
improve the software delivery 
process, added Rotibi. "I commend 
them for that." 
EDITORIAL 

Abuse of The 
Community Process 

BEA, IBM and Sun are at it again. Remember that a 
key principle behind the Java community was "Col- 
laborate on standards, compete on implementation"? 
Well, of late, developers have heard more about "compete 
on standards." 

The latest culprit is a spec called the Service Compo- 
nent Architecture, proposed by a bevy of companies, 
including BEA, IBM and Iona. Sun's crying foul, com- 
plaining that SCA partially duplicates work already done 
by JSR 208, the Java Business Integration (JBI) 
specification unveiled as the centerpiece of last summer's 
JavaOne. 

But don't forget: JSR 208 wasn't a slam dunk. Both 
BEA and IBM abstained in the final approval ballot for 
Java Business Integration, and clearly those companies 
feel no loyalty toward a Java Community Process initiative 
that they didn't support. 

Worse, the fact that BEA and IBM pushed this partic- 
ular project, which includes both SCA and an earlier pro- 
ject from the two companies called Service Data Objects, 
outside the Java Community Process makes one wonder 
exactly what the JSP is for. Complicating matters is that 
SCA is billed as a language-independent platform, so 
while it in part duplicates JBI, it's not clear if the JCP is 
truly the best place for it. 

According to Iona's Eric Newcomer — who supports 
both JBI and SCA/SDO — the proposal will go to Eclipse, 
a Sun nemesis, instead of the JCP. But if that's the plan, 
why were these specs developed behind closed doors, 
rather than using the Eclipse collaborative process? 

Despite the broad acceptance of organizations like the 
JCP, the Eclipse Foundation and the Apache Software 
Foundation, it's still far too common for companies like 
BEA and IBM to develop complete technologies and spec- 
ifications first, and deploy them within their own products. 
Only after they have a comfortable head start, do they seek 
a community rubber stamp of the completed work. 
(Microsoft is just as guilty, using Ecma International to 
"fast track" specifications, like the Office 12 XML schema 
and C# language, into de facto industry standards.) 

These practices abuse the notion of community devel- 
opment and "open standards." 

Groups like the JCP, Eclipse, Apache and Ecma should 
only accept projects if there is some real chance that dif- 
ferent interest groups will have a legitimate say in the 
development of the specifications and technologies. Being 
presented with a complete spec as a fait accompli — and 
then endorsing that spec essentially unchanged — merely 
demonstrates that these organizations are focused on 
pleasing their corporate sponsors, not just on developing 
best-of-breed specifications that create opportunities and 
broaden a standard base for innovation. 

If companies like BEA, IBM and Microsoft have good 
ideas for developing specifications, and want those specs to 
be endorsed by industry consortia, they should develop 
such specifications within those industry consortia, in an 
open, transparent and competitive manner. Then, and only 
then, should those consortia endorse them as standard. 
Rubber stamping does the software development industry 
a disservice. It's time for the consortia to just say no. 



'iPodify' My Software Now! 



Why can't all software be 
like an Apple iPod: sim- 
ple, elegant and fashionable? 

It's time that software 
vendors follow the lead from 
consumer electronics. Hide 
rich functionality in an intu- 
itive design. Give me tremen- 
dous value for the cost. And 
above all amaze me with your 
innovation. 

Software has gotten boring, 
but this wasn't always so. 
Those of us with speckles of 
gray on our heads (or nothing 
on our heads) remember when 
new releases, whether desktop 
or server, were met with high 
anticipation (yes, even Win- 
dows 3.1, OS/2 Presentation 
Manager and TopView). 

New products almost al- 
ways delivered on the promise 
of innovation, power and sim- 
plicity. These applications 
focused on value over hype. 
Advancements in underlying 
software plumbing were 
always secondary to the func- 
tionality provided. 

THE GREAT WAR 

The enterprise software industry, though, continues to muddle 
through the Great Infrastructure War. Venerable scribes devote 
their air time and ink to every skirmish, espousing their beliefs 
in the True Way. These hostilities are based on differences in 
dogma (open versus proprietary, open source versus the world), 
while fundamental technologies, such as J2EE and .NET, and 
vendor and consortia standards drive the development of things 
such as Web application servers, middleware and portals. 

Chris Stone 

Vendor battles are 
heating up, including the 
conflict between Microsoft's 
Metro and Adobe's PDF and 
the new OpenDocument for- 
mats. Well, it's not new techni- 
cally, but new to the hype. 
With IBM, it's all WebSphere, 
all the time. But wait, there's 
NetWeaver from SAP. Oracle 
wants you to use Fusion and 
10g. And then there's Linux, 
Windows Vista, "virtual" every- 
thing and the mainframe and 
AS/400 (like COBOL, they will 
never die). 



As any user would rightly 
ask: When did it become about 
the vendors and their specifi- 
cations and standards, and not 
about me and my needs and 
my users? Am I just an extra in 
this movie? 



Sure, I care about how things are engineered. I care about 
standards. I care about interoperability. But at the end of the 
day, I want a great application that meets my requirements, 
whether I am a manager, developer or analyst. 
And in business, make it 
easy for me to understand how 
it helps me work better. Make 
it easy and painless to install. 
Don't leave me feeling like 
I had a root canal without 
Novocain. 

In the electronic document 
market, where documents are 
created with input from 
any enterprise software applica- 
tions and output to any 
device — users complain that the 
infrastructure-level standards 
discussions miss the point. 



Letters to the Editor 



WHY MAINTENANCE MATTERS 

In the olden days, the first 
genius in the company picked 
up a new software, language 
or methodology and created 
a killer application. Manage- 
ment gave them lots of recog- 
nition and turned it over 
to the next tier of subgenius 
for maintenance and enhance- 
ment. 

That group picked up 
knowledge you gain from 
study and manipulation of the 
existing code. It was possible 
to bring relative novices into 
the maintenance group a few 
at a time and grow really good 
developers and eventually 
architects. 

They learned from and 
improved upon that initial 
example. 

The next group of applica- 
tions written in the same 
software, language or method- 
ology were created by this 
group, and they worked great. 

Enter the current time. 
The killer application is either 



developed offshore or imme- 
diately shipped there for 
maintenance. 

It may or may not have 
been the best example of the 
technology. No lessons are 
learned in-house. No next 
set of developers gets the 
advantage of working with an 
example. 

The chance to grow new 
developers in the technology 
goes overseas. 

This is the same thing that 
happened to our engineers. 
When the manufacture was 
here, they could go out and get 
their hands dirty. They could 
see the problems firsthand 
and adapt. 

Now even the engineering 
is done offshore, and the 
number of kids willing to enter 
a field where opportunities are 
limited and all practice is 
theoretical has plummeted. 

Advantage offshore! Set! 
Match! 

Lissa Klein 

SBC (Now AT&T) 



FOREVER FILING 

Mr. Binstock's column ["The 
100-Year Document," Dec. 15, 
page 35] brought up a lot of 
valid arguments for a file for- 
mat that is not dependent on a 
vendor to own or maintain the 
software required to access 
the files. It is true that Adobe 
may not be around 100 years 
from now. But since PDF is a 
publicly available specifica- 
tion, developers have been 
able to build tools for creating, 
viewing and manipulating 
PDFs for years without 
Adobe's involvement. 

At the end of the column, 
Mr. Binstock states that gov- 
ernments and vendors need to 
develop a consortium to devise 
and commit to a standard. This 
process is already well on 
its way with the development 
of PDF/Archive— PDF/A for 
short. 

A subset of PDF, the format 
was designated as an ISO stan- 
dard in September. The organi- 
zations involved in establishing 
APPS, NOT INFRASTRUCTURE 

Users don't buy infrastructure. 
They buy technology that 
solves a specific problem or 
meets a specific need. In other 
words, they buy applications. 
The technology industry lost 
sight of this fact in the supply- 
side-rich late 1990s and paid 
the price. 

Let's learn from our mis- 
takes. It is time to move from 
infrastructure to "How the 
hell do I increase revenue?" 
to let users focus the discus- 
sion on what companies are 
trying to do with the data they 
present to customers, not on 
the infrastructure they use to 
do it. 

For example, one of the 
largest private banks in 
Europe turned to EDP soft- 
ware to aggregate data from 
different sources in one cus- 
tomer-facing document and 
present it in a compelling 
document that is delivered in 
any format the customer 
wants: e-mail, snail mail or 
online. It's the software appli- 
cation that helps them create 
a brand and boost customer 
satisfaction. 

A national postal service 
that handles 20 million pieces 
of mail every day needs to 
integrate a Tower of Babel 
group of systems into its ERP 



environment so customers get 
their mail on time. The cus- 
tomer isn't saying, "Get me 
another Java programmer!" 
Instead, the people are asking 
for an application that takes 
what it needs from all their 
systems and lets them expand 
their services as customer 
demand grows. 

I'm not suggesting that 
innovative standards-based 
trends such as XForms and 
Metro versus PDF aren't 
important issues. But let's keep 
these discussions within the 
context of the applications they 
will enable. 

If a vice president in a large 
retail bank has to increase and 
cross-sell more products in a 
dozen languages to thousands 
of customers, do you think he's 
saying, "I know: Use XML"? 
Of course not. 

If a large electronics retail 
chain needs to synchronize six 
different data sources onto 
shelves where 78 million price 
tags can be changed in real 
time to react to competitors, 
do you think they say, "If we 
just use SOA and Linux, we're 
there"? If I dig a really deep 
hole, when will it stop? 

If you learned a language 
like COBOL or PL/1, you can 
pick up most others. SOA and 
Web services? We called them 



FTP and CORBA 15 years 
ago. PDF, XFA, ODF and 
Metro? We called the underly- 
ing technology OpenDoc a 
dozen years ago. Not to be 
outhyped by Apple and Tali- 
gent (remember that IBM 
joint venture?), along came 
Microsoft with OLE (which 
it really got from HP's 
NewWave), Sun with Java- 
Beans and a host of other 
components that fueled the 
debate but never really devel- 
oped a solution. 

I have always been amazed 
at how much attention, time 
and money has been spent 
over the past 30 years on 
plumbing when what business- 
es really wanted was to flush a 
toilet and make ice. 

In the end, isn't it all about 
creating, editing, storing, delet- 
ing and presenting via multiple 
channels (such as print/fax 
/e-mail/SMS/Web/hologram)? 

The world of computer sci- 
ence is filled with smart, 
sophisticated people trying to 
prove it. It's not really science, 
it's math. 

If you want a software pro- 
ject to be successful and pro- 
ductive, you hire a bunch of 
like-minded developers who 
are fanatics in a language, 
infrastructure or service. It 
doesn't matter what they use. 



Successful software is either a 
category creator or a simpler 
process. 

It's time to focus the dis- 
cussion on what companies 
are trying to do with the data 
they present to customers, 
not on the infrastructure they 
use to do it. Customers should 
always write down the busi- 
ness requirements of the 
problem they are trying to 
solve. 

Ever read a requirements 
document from a Global 2000 
company? It looks as if it 
were crafted by 25 computer 
science grad students who 
just pored through 15 
computer trade publications. 
You need a Wikipedia to fig- 
ure it out. 

NOW WHAT? 

It's all about unlocking the data 
locked up by ERP, CRM and 
ECM. Okay, I've input 
it, stored it, archived it, man- 
aged it and looked at it — now 
what? How do I present it 
to somebody to attract more 
business? 

That is the most important 
question of all. 

Chris Stone is president and 
CEO of StreamServe, which 
provides business communica- 
tions management software. 



this standard include AIIM, 
NPES, the National Archives 
and Records Administration, 
and the Library of Congress. 
Melonie Warfel 
Director, Worldwide 
Standards, Adobe Systems 

Andrew Binstock responds: 
PDF/A is a step in the right 
direction. However, it will 
become a true solution only 
once the adopting agencies pro- 
vide a mechanism by which we 
can be certain that documents 
encoded today will display the 
same in 100 years or more. 
This, I believe, requires a public 
and perpetual commitment by 
these agencies as well as the 
proper funding. 

WHAT DO YOU THINK? 

SD Times welcomes feed- 
back. Letters should include 
the writer's name, company 
affiliation and contact infor- 
mation. Letters become the 
property of BZ Media and 
may be edited for space and 
style. 

Send your thoughts to 
feedback@bzmedia.com. 
Keeping Open Source Moving Forward 



In my previous column, I discussed 
how open source today has morphed 
from a grass-roots revolution into a pro- 
fessional phenomenon. That is, most 
contributed code today is written by 
professional developers who are paid to 
write it. As with all shifts, this transition 
brings good news and bad. The good 
news is that high-quality open-source 
products keep coming to market at a 
remarkable pace; the bad news is that 
the bar to entry for new open-source 
developers keeps going higher. Whether 
the same grassroots movement that cre- 
ated GNU tools, Linux and Apache 
could deliver such important products 
today is a question that has no clear 
answer. 

Still, sensible but smaller-scale solu- 
tions can grow and prosper in the inter- 
stices between other products. Consider 
the Spring application framework, 
which is quickly gaining momentum as 
an alternative to J2EE. It evolved from 
the code presented by Rod Johnson in 
his book "Expert One-on-One: J2EE 
Design and Development" (Wrox, 
2002). And, during the past two years, it 
has gained traction by the contributions 
of numerous volunteers. 

Contributing to these smaller-sized 
projects is still possible and fun for the 
after-hours hacker, but as projects 
increase in size and complexity the
number of people who can contribute
meaningfully begins to dwindle. This is 
due especially to one factor that works 
against the grass-roots contributor: the 
sheer complexity of today's projects 
(which is often made worse by a pauci- 
ty of documentation for the code). But 
I'm getting ahead of myself. The right 
way of looking at the question of ama- 
teur contributions to open source is to 
consider what makes projects viable. 

I asked this question of 
Miguel de Icaza (who leads 
the Mono project) some years 
back, and he instantly shot 
back, "You have to be able to 
build a community." Other 
project leaders all say the 
same. A community requires 
three preliminaries: a great 
idea, a good programming 
start that attracts contributors 
who can extend the basic 
implementation, and a way to make the 
project widely known among potential 
contributors. 

If you get that far, which is further 
than most open-source projects do, you 
need to know how to build and maintain 
that community. This takes considerable 
skill. Linus Torvalds was very good 
at this, as is de Icaza. (See his blog at 
tirania.org/blog for an example of how 
to keep a community apprised of its 
members' progress and how to share
credit without the slightest trace of con- 
descension.) 

Still, personal diplomatic skills are 
only one aspect. The community has to 
have the right texture. If it doesn't, it 
can split apart to the detriment of the 
project (as with the Parrot/Perl 6 virtual 
machine). Finally, you will need to know 
how open-source communities func- 
tion, so that your contributors' mindset 
is met with the expected 
reality. No better guide to 
this world and its workings 
exists than Karl Fogel's "Pro- 
ducing Open Source Soft- 
ware" (O'Reilly, 2005), which 
explains the lay of the land 
and gives important practical 
advice on navigating the 
bumps and moguls. The book 
is an equally useful guide for 
contributors.

Attracting contributors and holding
on to them is one view of the open-
source dynamic. But the view from the
other side is that of an outsider looking
in: the developer who wants to con-
tribute but does not know how. These
contributors, I believe, mostly fall into
two categories: those who need a specif-
ic feature and are willing to try to imple-
ment it, and those who are attracted to
the project and want to help in a more
plenary fashion. The former far outnum-
ber the latter. The problem they face, 
though, is one of navigation: where to 
make the needed change and how? 
Many projects have poor documentation 
on the workings of the software, and 
almost nothing at all on the workings of 
the code. 

This is where the model of personal 
contributors begins to break down. The 
task of acquainting oneself with a code- 
base and understanding the specific 
code in the neighborhood of the patch is 
so time-consuming that only profession- 
als have the bandwidth to do this any- 
more. (Actually, amateurs who have 
been with the project from its early 
stages can participate because their 
mental maps have grown organically 
with the project. But this dynamic 
means that at some point, the size of the 
codebase imposes a sufficient barrier to 
entry that the current contributors rep- 
resent the maximal number of nonpro- 
fessionals who are able to participate. 
Beyond that size, the numbers taper off, 
as I mentioned previously.) 

The scope of projects is not likely to 
decrease, and so, the trend of profes- 
sional open-source development will 
only intensify. Fortunately, because 
companies find benefit in the practice, 
open source will continue to grow. But it 
will no longer use the model that origi- 
nally brought it acclaim.

Andrew Binstock is the principal analyst 
at Pacific Data Works. 



I Text, You Text, We All Text for iText 



I have a soft place in my heart for type- 
setting systems. I've built several over 
the ages, and have typeset many of my 
own books. My monthly C Chest col- 
umn in Dr. Dobb's Journal was canned 
in 1987 largely because of my "wasting" 
three months presenting the source 
code for my version of a markup-lan- 
guage interpreter that did layout: troff. 
(The editor insisted that both Unix and 
markup languages were irrelevant, 
obsolete technologies. For what it's 
worth, Bill Gates was saying exactly the 
same thing about HTML at the time.) 

I'm going to try my luck again: In my 
Dec. 15 column, I promised that I'd 
report back on a typesetting system: 
iText, Bruno Lowagie and Paulo Soares'
PDF-creation library (www.lowagie.com/iText).
Let's pick up that thread.

To refresh your memory, a project 
required me to create a few simple 
printed reports — the complete con- 
tents of which weren't known until 
runtime — in CSV, HTML and PDF
formats. I rejected JasperReports, 
which I found to be an overly compli- 
cated, poorly documented nonsolution 
to this problem. You know something's 
wrong when it's harder to use the tool 
than it is not to use the tool. 



The iText library — the PDF-genera- 
tion library that JasperReports uses — is, 
on the other hand, very good. iText is 
a full-blown typesetting system that 
lets you do in Java pretty much every- 
thing you can do with PostScript. You 
can use iText to lay out complex docu- 
ments containing both text and images 
to produce a PDF represen- 
tation. (Note that iText also 
can produce HTML and 
RTF files, but it doesn't do as 
good a job in these formats as 
it does with PDF. The table- 
layout classes, essential for 
reporting applications, work 
only with PDF output, for 
example.) 

Though it does have all 
the low-level APIs that you 
need to build a real typesetting system, 
the real strength of iText is the high- 
level objects that let you manipulate 
the document at the level of paragraph 
and chunk. (A chunk is part of a para- 
graph.) You assemble a paragraph sim- 
ply by adding chunks of text to it, and 
can easily modify paragraph attributes 
like font size and margins. There's also 
a very nice set of table-creation objects. 
The vast majority of applications can
get by with nothing but these simple-
to-use APIs. 

On the output side, iText uses the 
Builder design pattern. You attach a 
"writer" as defined by that pattern to 
the document you're creating, and 
that writer takes care of the mechanics 
of building a particular output format. 
That is, you can create a doc- 
ument without needing to 
know whether the ultimate 
output format will be pdf, rtf, 
html and so on. 

iText documentation is a 
mixture of the usual JavaDoc 
and an online tutorial called 
"iText by Example." The fact 
that this tutorial is not print- 
able is a definite negative, 
but it's well organized and 
easier to use than many online tutori- 
als. The tutorial presents the material 
in a linear way that guides you through 
the entire library, as compared with a 
blob of links that force you to bounce 
around in the material more or less 
randomly. There are a few minor lin- 
guistic anomalies (the author likes to 
say "Remark that" instead of "Note 
that," for example), but they don't get 
in the way of readability. 



The main problem with the tutorial 
is that it's not complete. The PDF- 
Form-generation mechanisms are not 
covered, for example. 

Very much on the plus side, the tuto- 
rial is laid out using a use-case approach 
that I've advocated in the past. It focus- 
es on tasks that you are likely to per- 
form, then tells you how to accomplish 
those tasks. It's also organized in such a 
way that you can get to work immedi- 
ately if you're doing simple stuff, rele- 
gating the gory details that you're not 
likely to need to later sections. There 
are plenty of coding examples. 

Consequently, I've decided to code 
directly to the iText APIs rather than 
using a report-generation package like 
Jasper. The resulting report will be both 
better looking and easier to code than 
the Jasper equivalent. Moreover, 
though iText can create HTML output, 
it is easily integrated into a Servlet to 
deliver PDF directly to the browser. 
Since this way of working gives me a 
better-looking page than the HTML, I 
plan to skip the HTML entirely and just 
present PDF to the user. And the icing 
on the cake is that I can do iText with- 
out any XML whatever. I'm happy. And 
I still have my column!

Allen Holub is an architect, consultant 
and instructor in C/C++, Java and OO 
Design. Reach him at www.holub.com. 
Type Safety

Windows & .NET Watch

C and C++ can be made as safe as
managed languages like Java and
C#, with a minimal runtime overhead
penalty. While no one technique can
eliminate all buffer- and pointer-related
security holes, there is a set of tech-
niques, libraries and tools that can cap-
ture all such holes. Only a fraction of
vulnerabilities require runtime instru-
mentation, making the average runtime
penalty for a provably safe C or C++
program in the low single-digit percent
realm. This is the claim of Plum Hall
Inc. and its "Safe-Secure C/C++" pro-
ject, at www.plumhall.com/sscc.html.

When I first heard the claim, I com-
mented to a friend that if it were anyone
but Tom Plum making it, I'd dismiss it as
spam. Those of us who watch the soft-
ware development industry regularly
receive claims of breakthroughs that
vastly overreach their capacity; solutions
to C's buffer vulnerabilities are as pre-
dictable as visual tools that "eliminate
programming altogether."

Tom Plum, though, is the compliance
guru of the ISO C++ Standards Com-
mittee, and his company produces con-
formance suites that validate C, C++,
Java and C# compilers' adherence to
standards. (He is also a friend and neighbor
of mine and, in years past, I've occa-
sionally consulted to Plum Hall.)

As SD Times columnist Andrew Bin-
stock has ably pointed out in his recent
columns, C remains the most important
language in the realm of open-source
software. I would go further and say that
C and C++ remain the most important
languages for professional
programmers. Not for profes-
sional programming, neces-
sarily, but for programmers.

Proficiency in C, coupled
with (at least) a working
understanding of C++ as a
more type-safe version with
objects, is the single most
valuable technical ability for
a professional programmer.
This has been shown in every
analysis of job postings for more than a
decade, as well as being intuitively obvi-
ous to anyone who's been on either side
of a technical interview.

The well-deserved acclaim for man-
aged languages has for a decade largely
drowned out advances in C/C++. There
is ample evidence that it may be time for
C/C++'s return to the spotlight, with the
arrival of exciting projects like Safe-
Secure, C++/CLI and Concur (Herb
Sutter's proposal for high-level concur-
rency abstractions, which I will discuss
in a forthcoming column).

Legacy codebases and performance
are the Scylla and Charybdis of C/C++
vulnerability. C/C++'s long history and
universality guarantee that essentially all 
nontrivial projects incorporate large 
codebases, libraries and com- 
plex build scripts. Remediat- 
ing a thousand lines of code is 
one thing, remediating a mil- 
lion is entirely different. 

Using the safe version of
the standard library func-
tions is certainly the first
step (hello strcpy_s()!), but
things quickly move beyond
search-and-replace when
you get into data structures
and unions. On the other hand, you can
punt on source-code changes and try a
new memory-management subsystem,
thinking that "managed languages do
this with little overhead," but doing so
has always forced a decision between
restricting C/C++ or accepting an
overhead that can actually be higher
than that achievable in more restricted
languages!
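
The point about unions, as an added example in C (not from the column or from Plum Hall's project): a bounded copy in the style of strcpy_s keeps a write inside its buffer, but reading the wrong member of a union needs a tag check at the access. bounded_copy, struct field and its accessors are hypothetical names, and bounded_copy stands in for strcpy_s, which many C libraries do not ship.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define FIELD_NAME_SIZE 8

/* Hypothetical stand-in for a strcpy_s-style bounded copy (Annex K is
   optional in C11 and missing from many C libraries). Returns 0 on
   success; on any failure returns -1 and leaves dst as an empty string. */
int bounded_copy(char *dst, size_t dst_size, const char *src)
{
    size_t i;

    if (dst == NULL || dst_size == 0)
        return -1;
    if (src != NULL) {
        for (i = 0; i < dst_size; i++) {
            dst[i] = src[i];
            if (src[i] == '\0')
                return 0;          /* terminator fitted inside dst */
        }
    }
    dst[0] = '\0';                 /* too long or NULL source: fail closed */
    return -1;
}

/* A union is where search-and-replace stops helping: u.name and u.count
   share storage, so a write can be bounded and a later read still wrong.
   The tag records which member is live. */
enum field_kind { FIELD_NAME, FIELD_COUNT };

struct field {
    enum field_kind kind;
    union {
        char name[FIELD_NAME_SIZE];
        unsigned long count;
    } u;
};

int field_set_name(struct field *f, const char *s)
{
    char tmp[FIELD_NAME_SIZE] = {0};

    if (f == NULL || bounded_copy(tmp, sizeof tmp, s) != 0)
        return -1;                 /* rejected: *f is left unchanged */
    memcpy(f->u.name, tmp, sizeof tmp);
    f->kind = FIELD_NAME;
    return 0;
}

void field_set_count(struct field *f, unsigned long n)
{
    f->u.count = n;
    f->kind = FIELD_COUNT;
}

/* Checked accessors: one integer compare per read is the runtime cost. */
const char *field_name(const struct field *f)
{
    return (f != NULL && f->kind == FIELD_NAME) ? f->u.name : NULL;
}

int field_count(const struct field *f, unsigned long *out)
{
    if (f == NULL || out == NULL || f->kind != FIELD_COUNT)
        return -1;
    *out = f->u.count;
    return 0;
}

int main(void)
{
    struct field f;
    unsigned long n = 0;

    field_set_count(&f, 42);
    printf("name while count is live: %s\n",
           field_name(&f) ? field_name(&f) : "(refused)");
    printf("oversized name accepted: %s\n",
           field_set_name(&f, "far-too-long") == 0 ? "yes" : "no");
    if (field_count(&f, &n) == 0)
        printf("count still intact: %lu\n", n);
    return 0;
}
```
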

Plum's strategy, though, is not to
attempt a single "general case" solu-
tion, but to use tiers of strategies and 
tools, beginning with source-code 
remediation. He claims that by the time 
his techniques get to the need for run- 
time checking, it's such a constrained 
circumstance that the overhead can be 
minimal. To test, he has tackled por- 
tions of the SPEC/GPC benchmark 
suite. Is it surprising that, even in such 
pored-over code, he discovered vulner- 
abilities (arising, apparently, from some 
obscure and unlikely combination of 
command-line switches)? He claims 
that the resulting "safe and secure" 
benchmarks run with less than 10 per- 
cent overhead. 

If Plum's extraordinary claims are 
true, the thing that's most intriguing to 
me is the possibility of introducing 
PKI-style "trust chains" into the execu- 
tion of software, especially critical 
infrastructure software such as firewalls 
and routers. Sadly, Plum says that he 
faces a chicken-and-egg problem in 
that the compiler vendors aren't seeing 
security at the top of customer demand 
and that customers are not demanding 
it because they aren't aware it's a possi- 
bility. So if you'd like to see C/C++
secured, start screaming.

Larry O'Brien is a technology consul-
tant, analyst and writer. Read his blog at
www.knowing.net.
Dead Reckoning

Industry Watch

Oct. 1, 1492: Christopher Columbus
and his crew have sailed for more 
than a month, yet there still is no sight of 
land. With nothing but a compass and 
quadrant (an earlier form of the sextant) 
to guide them, and by using primitive 
time and distance calculations, Columbus 
can track how far his ships have traveled. 
What he cannot tell, and what is much 
more important to the crew, 
who have been bobbing about 
in the vast Atlantic Ocean in 
small wooden ships, is how 
much farther they have to go. 

Because the entire voyage 
is based on the theory that 
they can reach Asia and the 
East Indies by sailing west 
from Spain — something no 
one has yet done and mea- 
sured — they really don't know 
how close or far they are. In his journal, 
Columbus notes that they have had clear 
skies and steady winds, but now the 
crew is getting angry and fights have 
broken out. There is even talk of throw- 
ing Columbus overboard and turning 
around to sail back to Spain. 

Oct. 7, 1492: Land ho! Columbus 
does not see the fine cities described by 
Marco Polo during his earlier visits to 
the Orient. In fact, the people are of a 
different color and not wearing very 
many clothes. He believes he has 
reached islands just east of Japan. 

This was a time before celestial navi- 
gation, before a course could be charted 
by the ship's position in relation to the 
stars. Sailors of Columbus' day would 
measure their course and distance from 
a starting point — plotting their direction 
using a magnetic compass, and calculat- 
ing speed (and thereby distance) by 
throwing some piece of flotsam over- 
board and seeing how long it took the 
ship to pass it. This method of navigation 
is known as dead reckoning. 




More than 500 years later, despite all 
the advances in technology that have 
occurred, many software developers 
find themselves in the same boat as 
Columbus. They embark on projects 
without really knowing how far they will 
have to travel, if the seas will be rough or 
smooth, and — in many instances when 
requirements change very often — where 
they will end up. 

Mike Cohn, a senior con- 
sultant for Cutter Consor- 
tium, believes, as the sailors 
before him did, that it's 
fundamentally more impor- 
tant to know how much fur- 
ther a software project has to 
go than how much time has 
been spent on it already. 
Unfortunately, he said, most 
metrics tools can only mea- 
sure where a project's been. To see 
where it's going, some of the principles 
of dead reckoning apply. 

"Teams get caught up tracking how 
many hours they've put in," Cohn told 
SD Times. "But I want to know how 
many I have left." Tools, he said, can tell 
you that you've spent six hours on a par- 
ticular piece of a project, and that you're 
90 percent done. But like seafarers sail- 
ing into a strong gale, what seems to be
progress to a development team actually
is losing ground. "You might have 
worked 50 hours, and the tool could tell 
you you're a certain percent closer to 
completion, but in those 50 hours, you 
might have learned that the project will 
require another 100 hours. You worked 
hard all day but hit a headwind and were 
pushed back farther than from where 
you started." 

Cohn is a proponent of the agile 
process known as Scrum, which uses 
burn-down charts, daily meetings and 
short iterations to help navigate a course 
through a development project. "You 
say, 'Let's sail from here to here and give 
it two weeks.' You try to work in short 
iterations because you never really know 
the long goal." 

The burn-down chart helps managers 
assess how a team is doing in terms of 
meeting its goals, if the release will be 
on time with the desired quality and 
functionality, and how the product is fill- 
ing out compared with what's needed. 
Cohn explained that team members 
commit to how much work they can 
complete in, say, two to four weeks. 
Each day, a log is updated with how 
much work was completed and how 
much is left. "It shows where you're 
going, and if you're finishing the right 
amount to get there." At those daily, 15- 
minute meetings, three questions are 
asked: What did you do yesterday? What 
are you doing today? What are the 
impediments to getting it done? 

The aforementioned advances in 
technology have also brought excellent 
project forecasting and estimation tools 
that help managers ensure the work 
remains on track. The combination of 
improved processes and more powerful 
tools can raise the level of development, 
and ensure the project ends up where it 
was expected to when it first left port. 

Imagine what Columbus could have 
accomplished with GPS.

David Rubinstein is editor-in-chief of 
SD Times. 



IBM announced two acquisitions last month — one in the area of network man- 
agement and the other in portal technology. First, IBM said it will acquire network 
management software provider Micromuse for about US$865 million, or $10 per 
share. IBM intends to integrate its software into Tivoli and strengthen its Tivoli 
systems management business unit. The San Francisco-based Micromuse has 
about 650 employees; its software handles voice and video traffic as well as data. 
In the other deal, IBM signed an agreement to acquire Bowstreet, a Massachu- 
setts-based provider of portal technology. Bowstreet will help further IBM's 
strategy around SOA and enable customers to combine a wide variety of pre- 
existing data into composite applications, or into a WebSphere Portal environ- 
ment. Financial terms of the transaction were not disclosed . . . Oracle 
announced an update to its multicore processor licensing policy, which increases 
parity among hardware vendors and helps customers take advantage of advance- 
ments in multicore processor chips from vendors such as AMD, IBM and Intel. 
The processor definition has been amended as it relates to counting multicore 
chips to determine the total number of processor licenses required. A detailed 
explanation of the new policy can be found at www.oracle.com/corporate/pricing/sig.html.



EARNINGS: Fiscal 2006 second-quarter revenue for hardware maker Palm was 
announced at US$444.6 million, an increase of 18 percent from the year-ago peri- 
od. Net income on a non-GAAP basis totaled $22.4 million, or 47 cents per share, 
down from last year's net income of $27.2 million, or 53 cents per share. Palm cit- 
ed a change in tax rate between the reporting years as a reason for the decline 
. . . Oracle released fiscal 2006 Q2 GAAP revenue of US$3.3 billion, up 19 percent 
compared with the same quarter last year. Total non-GAAP revenue increased 23 
percent, to $3.4 billion, for the quarter. GAAP earnings per share were 15 cents, 
down 2 percent from Q2 last year, while non-GAAP earnings per share were 19 
cents, up 16 percent. Quarterly GAAP net income was $798 million, down 2 percent, 
while non-GAAP net income was $972 million, up 16 percent ... The SCO Group 
reported revenue of US$36 million for fiscal 2005 ended Oct. 31, a decline from
$42.8 million a year earlier. For the year, the company posted a net loss of
$10.7 million, or 60 cents per share. In fiscal 2004, the company's net loss was $16.2
million, or $1.07 per share. "Even though the company incurred net losses during
the fourth quarter and fiscal year 2005 as a result of expenditures for its continu-
ing litigation, the management team accomplished its objective of returning the
UNIX business to profitability," said Darl McBride, president and CEO.



CALENDAR OF EVENTS

Black Hat Federal
Jan. 23-26
Washington, D.C.
BLACK HAT
www.blackhat.com

VSLive
Jan. 29-Feb. 2
San Francisco
FAWCETTE TECHNICAL PUBLICATIONS
www.ftponline.com/conferences/vslive/2006/sf

Developer Relations Conference
Feb. 6-7
San Francisco
EVANS DATA
www.evansdata.com/drc2

Software Security Summit
Feb. 6-8
San Diego
BZ MEDIA
www.S-3con.com

RSA Conference
Feb. 13-17
San Jose
RSA SECURITY
2005.rsaconference.com/us/C4P06

Web Services/SOA On Wall Street
Feb. 27
New York
LIGHTHOUSE PARTNERS & FLAGG MANAGEMENT
www.webservicesonwallstreet.com

SHARE
March 5-10
Seattle
SHARE
www.share.org

Business Intelligence Summit
March 6-8
Chicago
GARTNER
www.gartner.com/2_events/conferences/bi4.jsp

Emerging Technology Conference
March 6-9
San Diego
O'REILLY MEDIA
conferences.oreillynet.com

Intel Developer Forum Spring
March 7-9
San Francisco
INTEL
www.intel.com/idf

SD West 2006
March 13-17
Santa Clara
CMP MEDIA
www.sdexpo.com

BrainShare 2006
March 19-24
Salt Lake City
NOVELL
www.novell.com/brainshare

EclipseCon
March 20-23
Santa Clara
ECLIPSE FOUNDATION
www.eclipsecon.org/2006/Home.do

Game Developers Conference
March 20-24
San Jose
CMP MEDIA
www.gdconf.com

LinuxWorld Conference & Expo
April 3-6
Boston
IDG WORLD EXPO
www.linuxworldexpo.com/live/12

Embedded Systems Conference Silicon Valley
April 3-7
San Jose
CMP MEDIA
www.esconline.com/sv


For a more complete calendar of U.S. software devel- 
opment events, see www.bzmedia.com/calendar. 
Information is subject to change. Send news about 
upcoming events to events@bzmedia.com. 